[libvirt] Per-guest configurable user/group for QEMU processes
Marcelo Henrique Cerri
mhcerri at linux.vnet.ibm.com
Wed Mar 7 17:35:38 UTC 2012
On Mon, 27 Feb 2012 12:48:55 -0300
Marcelo Cerri <mhcerri at linux.vnet.ibm.com> wrote:
Just one more point. I'd like to validate the direction that I'm
getting.
I updated the XML parse and replaced the "seclabel" member in
virDomainDef with:
size_t nseclabels;
virSecurityLabelDefPtr *seclabels;
I also added a "model" field in virSecurityLabelDef to identify the sec
driver. So, my idea is to replace any access to the seclabel with a
search by the model name. So, for example, instead of using
secdef = def->seclabels;
I'll use:
secdef = virDomainDefGetSecurityLabelDef(def,
SECURITY_SELINUX_NAME);
virDomainDefGetSecurityLabelDef will search for a seclabel with the
given model/name.
I'm having to update too many parts in the code and I'd like
to save some time if this is not the right direction.
Regards,
Marcelo
> Great. I think it is a good approach. The lack of an enclosing tag
> still bothers me. But, as you said, there's no serious problem not
> having it and I can live with that :)
>
> I believe the primary driver should be defined in qemu.conf, so I
> would like to replace the "security_driver" config with two new
> configs: primary_security_driver and additional_security_drivers. The
> last one would contain a list of security divers separated by commas,
> for example:
>
> primary_security_driver = "apparmor"
> additional_security_divers = "dac,another_driver"
>
> For device seclabel's, I intend to add a "model" attribute to specify
> which security driver is being overriding (if it's not given, the
> primary driver is considered).
>
> <domain ...>
> ...
> <devices>
> <disk type='file' device='disk'>
> <source file='/path/to/image1'>
> <seclabel relabel='no' model='dac'/>
> </source>
> ...
> </disk>
> <disk type='file' device='disk'>
> <source file='/path/to/image2'>
> <seclabel relabel='yes' model="selinux">
> <label>
> system_u:object_r:shared_content_t:s0
> </label>
> </seclabel>
> </source>
> ...
> </disk>
> ...
> </devices>
> <seclabel type='dynamic' model='selinux'>
> <baselabel>text</baselabel>
> </seclabel>
> <seclabel type='static' model='dac'>
> <label>501:501</label>
> <imagelabel>501:501</imagelabel>
> </seclabel>
> </domain>
>
> What do you think?
>
> Regards,
> Marcelo
>
> On 02/23/2012 07:34 PM, Daniel P. Berrange wrote:
> > On Thu, Feb 23, 2012 at 06:38:45PM -0200, Marcelo Cerri wrote:
> >> On 02/23/2012 05:47 PM, Daniel P. Berrange wrote:
> >>> On Thu, Feb 23, 2012 at 05:41:27PM -0200, Marcelo Cerri wrote:
> >>>> Hi,
> >>>>
> >>>> I'm starting working on an improvement for libvirt to be able to
> >>>> support per-guest configurable user and group IDs for QEMU
> >>>> processes. Currently, libvirt uses a configurable pair of user
> >>>> and group, which is defined in qemu.conf, for all qemu processes
> >>>> when running in privileged mode.
> >>>>
> >>>> This topic was already commented in qemu mailing list
> >>>> (http://lists.nongnu.org/archive/html/qemu-devel/2011-10/msg00758.html)
> >>>> but, as this requires changes in libvirt API, I'd like to
> >>>> discuss what would be the best solution for it.
> >>>>
> >>>> A solution (as proposed in the link above) would be to extend the
> >>>> security driver model to allow multiple drivers. In this case, an
> >>>> example of the XML definition would be:
> >>>>
> >>>> ...
> >>>> <seclabel type='dynamic' model='selinux'>
> >>>> <label>system_u:system_r:svirt_t:s0:c633,c712</label>
> >>>> <imagelabel>system_u:object_r:svirt_image_t:s0:c633,c712</imagelabel>
> >>>> </seclabel>
> >>>> <seclabel type='dynamic' model='dac'>
> >>>> <label>102:102</label>
> >>>> <imagelabel>102:102</imagelabel>
> >>>> </seclabel>
> >>>> ...
> >>>>
> >>>> I don't know if this is a clean solution because the usual option
> >>>> would be to enclose the block above in a "<seclabels>" tag. But
> >>>> as this would break the actual API, it's not viable.
> >>>
> >>> While it is true that we would ordinarily have an enclosing tag
> >>> like<seclabels>, there's no serious problem not having it. Just
> >>> having two (or more)<seclabel> elements in a row is just fine,
> >>> given our backwards compatibility requirements.
> >>>
> >>> So I think this option is just fine.
> >>
> >> I agree that this is a good solution, considering the XML
> >> compatibility. But, what about virDomainGetSecurityLabel? It could
> >> access the first security label or ignore the DAC driver (and maybe
> >> another function could be added to access the whole list of
> >> seclabels), but it doesn't seem to be the best solution.
> >
> > We can just keep virDomainGetSecurityLabel()/virNodeGetSecurityModel
> > as only ever handling the primary security driver.
> >
> > Then add some new APIs which are more general
> >
> > int virNodeGetSecurityModelCount(virConnectPtr conn);
> > int virNodeGetSecurityModelList(virConnectPtr conn,
> > virSecurityModelPtr models,
> > int nmodels);
> > int virDomainGetSecurityLabelList(virDomainptr dom,
> > virSecuriyLabelptr labels,
> > int nlabels);
> >
> >
> > Regards,
> > Daniel
>
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
>
More information about the libvir-list
mailing list